Breach Details

On October 30, SSM discovered that a former employee in the customer service call center inappropriately accessed medical records of SSM patients between Feb. 13 and Oct. 20. This incident constituted a privacy breach under the federal Health Insurance Portability and Accountability Act (HIPAA).

The employee had access to PHI, including demographic and clinical information, but did not have access to financial information such as credit card numbers.

SSM determined the former employee accessed patient information from multiple states, but focused on records of a small number of patients with a controlled substance prescription and a primary care physician within the St. Louis area.

SSM decided to notify all 29,000 patients whose records were accessed by this individual, even if the access may have been for legitimate reasons.

In response, SSM has:

Notified the Office for Civil Rights and local law enforcement.

Required an additional identifier when patients request prescription refills from the call center.

Strengthened employee access monitoring tools.

Provided identity theft protection at no charge to affected patients upon request.

Response and Lessons Learned

The response by SSM Health was comprehensive in terms of the information shared and the resulting actions taken (such as offering credit monitoring). However, there was a two-month delay between discovery of the data leak and the announcement. In addition, the former employee had been inappropriately accessing data for many months before the leak was discovered.
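As an added illustration of the access-monitoring control listed above and of the detection gap noted here (this is not SSM Health's tooling and is not from the original article), the script below runs peer-baseline checks over a constructed EHR access log: each call-center agent is compared with the other agents in the same role on record-access volume and on the share of accessed patients who hold a controlled-substance prescription. The log format, the agent names, the `controlled_rx` field, the three-sigma volume threshold and the 3x controlled-Rx ratio are all assumptions made for this example.

```python
"""Peer-baseline anomaly detection over an EHR access log.

Added example, not SSM Health's monitoring tooling. Assumes a comma-separated
log where each line records: timestamp, user, role, patient id, patient home
state, and whether the patient has a controlled-substance prescription (Y/N).
"""
from collections import defaultdict
from statistics import mean, pstdev


def _agent_lines(user, n_total, n_controlled):
    """Build constructed log lines for one agent (sample data, not real records)."""
    lines = []
    for i in range(n_total):
        ctrl = "Y" if i < n_controlled else "N"
        state = "MO" if i % 2 == 0 else "IL"
        lines.append(f"2023-03-01T09:{i:02d},{user},call_center,P-{user}-{i},{state},{ctrl}")
    return lines


# Constructed sample log: five ordinary agents plus one outlier (agent6) whose
# volume is high and whose accesses are all controlled-Rx patients.
SAMPLE_LOG = "\n".join(
    _agent_lines("agent1", 3, 1) + _agent_lines("agent2", 4, 1)
    + _agent_lines("agent3", 4, 1) + _agent_lines("agent4", 5, 1)
    + _agent_lines("agent5", 4, 1) + _agent_lines("agent6", 12, 12)
)


def parse_log(text):
    """Parse the assumed log format into a list of dicts; blank lines are skipped."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, role, patient, state, ctrl = line.split(",")
        records.append({"ts": ts, "user": user, "role": role, "patient": patient,
                        "state": state, "controlled": ctrl == "Y"})
    return records


def user_profiles(records):
    """Aggregate per-user access count, controlled-Rx count and states touched."""
    prof = defaultdict(lambda: {"role": None, "n": 0, "controlled": 0, "states": set()})
    for r in records:
        p = prof[r["user"]]
        p["role"] = r["role"]
        p["n"] += 1
        p["controlled"] += int(r["controlled"])
        p["states"].add(r["state"])
    return prof


def flag_anomalies(records, volume_sigma=3.0, controlled_ratio=3.0):
    """Return {user: [reasons]} for users who stand out from same-role peers.

    The baseline for each user is computed leave-one-out (the user's own rows
    are excluded), so a single heavy accessor cannot inflate the limit that is
    applied to them.
    """
    prof = user_profiles(records)
    by_role = defaultdict(list)
    for user, p in prof.items():
        by_role[p["role"]].append(user)

    findings = {}
    for users in by_role.values():
        for user in users:
            peers = [prof[u] for u in users if u != user]
            if len(peers) < 2:
                continue  # too few peers for a meaningful baseline
            me = prof[user]
            reasons = []

            # Rule 1: access volume far above the peer distribution.
            peer_n = [p["n"] for p in peers]
            limit = mean(peer_n) + volume_sigma * pstdev(peer_n)
            if me["n"] > limit:
                reasons.append(f"volume {me['n']} exceeds peer limit {limit:.1f}")

            # Rule 2: concentration on controlled-Rx patients well above peers.
            peer_frac = mean([p["controlled"] / p["n"] for p in peers])
            my_frac = me["controlled"] / me["n"]
            if my_frac > controlled_ratio * peer_frac:
                reasons.append(f"controlled-Rx share {my_frac:.2f} vs peer mean {peer_frac:.2f}")

            if reasons:
                findings[user] = reasons
    return findings


if __name__ == "__main__":
    for user, reasons in flag_anomalies(parse_log(SAMPLE_LOG)).items():
        print(user, "->", "; ".join(reasons))
```

Both rules are deliberately relative to peers in the same job role rather than absolute counts, since a call-center agent's normal workload varies by team; in practice the baseline window would be rolling (e.g. the previous 30 days) and the findings would feed a review queue rather than block access outright.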

Marianna Noll is a Maryland-based writer with an interest in the impact that technology has on organizations and users. She writes about software, user adoption and engagement with software, and IT security.